This paper investigates the complications of designing effective governance for IT risk management (IT-RM). Literature on formal governance suggests that either a coercive (i.e., to force employees' effort and compliance) or an enabling (i.e., to help employees better to master their tasks) design of procedures help to avoid what literature calls ‘mock bureaucracy’ (i.e., rules are promulgated for their symbolic value but ignored in practice). Our analysis of two organizations, however, implies that both coercive and enabling governance for IT-RM may lead to mock bureaucracy. We categorize antecedents of ‘mock’ IT-RM procedures and identify important design challenges for IT-RM research and practice. Our study contributes to the IT governance body of knowledge by linking types of bureaucracy to IT governance tasks and providing anti-patterns associated with IT-RM procedures.